docs: Add section on how to lock down/restrict the default project #21757

Open
wants to merge 3 commits into
base: master
22 changes: 21 additions & 1 deletion docs/user-guide/projects.md
Expand Up @@ -9,7 +9,7 @@ Projects provide a logical grouping of applications, which is useful when Argo C

### The Default Project

Every application belongs to a single project. If unspecified, an application belongs to the `default` project, which is created automatically and by default, permits deployments from any source repo, to any cluster, and all resource Kinds. The default project can be modified, but not deleted. When initially created, it's specification is configured to be the most permissive:
Every application belongs to a single project. If unspecified, an application belongs to the `default` project, which is created automatically and by default, permits deployments from any source repo, to any cluster, and all resource Kinds. When initially created, it's specification is configured to be the most permissive:

```yaml
spec:
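Review bot: The added sentence still ends with "it's specification", which should be the possessive "its specification"; since this line is already being rewritten, fix it here. The comma in "created automatically and by default, permits deployments" could be tidied in the same pass, for example "created automatically and, by default, permits deployments".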
Expand All @@ -23,6 +23,26 @@ spec:
kind: '*'
```

The `default` project can be modified, but not deleted. The project is useful for initial testing, but it is recommended to create dedicated projects with explicit source, destination, and resource permissions.

To remove all permissions from the `default` project, apply the following manifest to the namespace where Argo CD is installed:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: default
spec:
sourceRepos: []
sourceNamespaces: []
destinations: []
namespaceResourceBlacklist:
- group: '*'
kind: '*'
```

After you modify the `default` project, any application that attempts to use it will be denied until you explicitly move the application to a more permissive project.

### Creating Projects

Additional projects can be created to give separate teams different levels of access to namespaces. The following command creates a new project `myproject` which can deploy applications to namespace `mynamespace` of cluster `https://kubernetes.default.svc`. The permitted Git source repository is set to `https://github.com/argoproj/argocd-example-apps.git` repository.
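Review bot: The closing sentence "After you modify the `default` project, any application that attempts to use it will be denied" is broader than what the manifest does: only applying this lock-down spec denies everything, not any modification, so "After you apply this manifest" would be more accurate. It would also help to say whether applications already assigned to `default` are affected, since the earlier text says unspecified applications land there. Separately, the manifest has no `metadata.namespace`, so the instruction to apply it "to the namespace where Argo CD is installed" rests on the prose alone; a namespace placeholder in the manifest or an explicit apply command with `-n` would make it harder to create a second `default` AppProject in the wrong namespace and leave the real one permissive.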